add html attribute escaping

Pitasi · Sep 9, 2023 · 31f3c80 · 31f3c80
1 parent fd360bb
commit 31f3c80
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 2 deletions.
diff --git a/rscx-macros/Cargo.toml b/rscx-macros/Cargo.toml
@@ -15,6 +15,7 @@ proc-macro = true
 
 [dependencies]
 convert_case = "0.6.0"
+html-escape = "0.2.13"
 proc-macro2 = "1.0.66"
 proc-macro2-diagnostics = "0.10.1"
 quote = "1.0.33"

diff --git a/rscx-macros/src/lib.rs b/rscx-macros/src/lib.rs
@@ -145,7 +145,11 @@ fn walk_nodes<'a>(empty_elements: &HashSet<&str>, nodes: &'a Vec<Node>) -> WalkN
                                 // If the nodes parent is an attribute we prefix with whitespace
                                 out.static_format.push(' ');
                                 out.static_format.push_str("{}");
-                                out.values.push(block.to_token_stream());
+                                out.values.push(quote! {{
+                                   ::rscx::html_escape::encode_double_quoted_attribute(
+                                        (#block).as_str()
+                                    )
+                                }});
                             }
                             NodeAttribute::Attribute(attribute) => {
                                 let key = match attribute.key.to_string().as_str() {
@@ -155,7 +159,11 @@ fn walk_nodes<'a>(empty_elements: &HashSet<&str>, nodes: &'a Vec<Node>) -> WalkN
                                 out.static_format.push_str(&format!(" {}", key));
                                 if let Some(value) = attribute.value() {
                                     out.static_format.push_str(r#"="{}""#);
-                                    out.values.push(value.to_token_stream());
+                                    out.values.push(quote! {
+                                       ::rscx::html_escape::encode_unquoted_attribute(
+                                            &format!("{}", #value)
+                                        )
+                                    });
                                 }
                             }
                         }

diff --git a/rscx/Cargo.toml b/rscx/Cargo.toml
@@ -12,6 +12,7 @@ readme = "../README.md"
 
 [dependencies]
 axum = { version = "0.6.20", features = ["macros"], optional = true }
+html-escape = "0.2.13"
 rscx-macros = { workspace = true }
 tokio = { version = "1.32.0", features = ["full"] }
 tokio-util = { version = "0.7.8", features = ["rt"], optional = true }

diff --git a/rscx/src/lib.rs b/rscx/src/lib.rs
@@ -7,6 +7,8 @@ pub use rscx_macros::*;
 
 pub extern crate typed_builder;
 
+pub extern crate html_escape;
+
 pub trait CollectFragment<I>
 where
     I: Iterator,